Analysis

max time kernel: 111s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 09:08

Behavioral task: behavioral1
Sample: 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
Resource: win10v2004-20241007-en

General

Target: 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
Size: 880KB
MD5: 0ae61fbe5369cf1bff062e29986d2920
SHA1: 12bb8851d08c99ba0f87598422d5cb681aa9b415
SHA256: 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6
SHA512: c35924633f285e554d98ebc5d6b5bb381e3831299837cdd62a18b5df479a725991989ebc0fb44080f0f45430b8986090df46cafb282ed7869e712eccf2b99b63
SSDEEP: 24576:YxesON826V84ViythW8GTFThS6qFHAOet3GstG2ReuVyh:Yxe826lViybCZiEE/h

Malware Config
Signatures

Detect Neshta payload (1 IoCs)
resource | yara_rule
behavioral1/files/0x0001000000010314-19.dat | family_neshta

Neshta
Malware from the Neshta family infects other files with copies of itself in order to spread and cause damage.

Neshta family

Executes dropped EXE (2 IoCs)
pid | Process
1272 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
2968 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp

Loads dropped DLL (9 IoCs)
pid | Process
2524 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
1272 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
2968 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp
2968 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp
2968 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp
2968 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp
2968 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp
2968 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp
2524 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe

Modifies system executable filetype association (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\ImagingDevices.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\svchost.com | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp

Modifies registry class (1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2968 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp
2968 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp

Suspicious use of WriteProcessMemory (42 IoCs)
description | pid | Process | procid_target
PID 2524 wrote to memory of 1272 | 2524 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe | 30
PID 2524 wrote to memory of 1272 | 2524 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe | 30
PID 2524 wrote to memory of 1272 | 2524 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe | 30
PID 2524 wrote to memory of 1272 | 2524 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe | 30
PID 1272 wrote to memory of 2968 | 1272 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe | 31
PID 1272 wrote to memory of 2968 | 1272 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe | 31
PID 1272 wrote to memory of 2968 | 1272 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe | 31
PID 1272 wrote to memory of 2968 | 1272 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe | 31
PID 1272 wrote to memory of 2968 | 1272 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe | 31
PID 1272 wrote to memory of 2968 | 1272 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe | 31
PID 1272 wrote to memory of 2968 | 1272 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe | 31
PID 2968 wrote to memory of 636 | 2968 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp | 32
PID 2968 wrote to memory of 636 | 2968 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp | 32
PID 2968 wrote to memory of 636 | 2968 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp | 32
PID 2968 wrote to memory of 636 | 2968 | 212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp | 32
PID 636 wrote to memory of 2816 | 636 | cmd.exe | 34
PID 636 wrote to memory of 2816 | 636 | cmd.exe | 34
PID 636 wrote to memory of 2816 | 636 | cmd.exe | 34
PID 636 wrote to memory of 2824 | 636 | cmd.exe | 35
PID 636 wrote to memory of 2824 | 636 | cmd.exe | 35
PID 636 wrote to memory of 2824 | 636 | cmd.exe | 35
PID 636 wrote to memory of 2944 | 636 | cmd.exe | 36
PID 636 wrote to memory of 2944 | 636 | cmd.exe | 36
PID 636 wrote to memory of 2944 | 636 | cmd.exe | 36
PID 636 wrote to memory of 2756 | 636 | cmd.exe | 37
PID 636 wrote to memory of 2756 | 636 | cmd.exe | 37
PID 636 wrote to memory of 2756 | 636 | cmd.exe | 37
PID 636 wrote to memory of 2812 | 636 | cmd.exe | 38
PID 636 wrote to memory of 2812 | 636 | cmd.exe | 38
PID 636 wrote to memory of 2812 | 636 | cmd.exe | 38
PID 636 wrote to memory of 2836 | 636 | cmd.exe | 39
PID 636 wrote to memory of 2836 | 636 | cmd.exe | 39
PID 636 wrote to memory of 2836 | 636 | cmd.exe | 39
PID 636 wrote to memory of 2892 | 636 | cmd.exe | 40
PID 636 wrote to memory of 2892 | 636 | cmd.exe | 40
PID 636 wrote to memory of 2892 | 636 | cmd.exe | 40
PID 636 wrote to memory of 1336 | 636 | cmd.exe | 41
PID 636 wrote to memory of 1336 | 636 | cmd.exe | 41
PID 636 wrote to memory of 1336 | 636 | cmd.exe | 41
PID 636 wrote to memory of 2500 | 636 | cmd.exe | 42
PID 636 wrote to memory of 2500 | 636 | cmd.exe | 42
PID 636 wrote to memory of 2500 | 636 | cmd.exe | 42

Processes

C:\Users\Admin\AppData\Local\Temp\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe  (level 1, PID 2524)
  Command line: "C:\Users\Admin\AppData\Local\Temp\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe"
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\3582-490\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe  (level 2, PID 1272)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\is-SP4AA.tmp\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp  (level 3, PID 2968)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-SP4AA.tmp\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp" /SL5="$40156,468623,97792,C:\Users\Admin\AppData\Local\Temp\3582-490\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe  (level 4, PID 636)
        Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-JF0O2.tmp\Win_ver.bat""
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\find.exe  (level 5, PID 2816)
          Command line: find /i "6.2.9200"

        C:\Windows\system32\find.exe  (level 5, PID 2824)
          Command line: find /i "6.3.9600"

        C:\Windows\system32\find.exe  (level 5, PID 2944)
          Command line: find /i "10.0."

        C:\Windows\system32\find.exe  (level 5, PID 2756)
          Command line: find /i "6.1.7601"

        C:\Windows\system32\find.exe  (level 5, PID 2812)
          Command line: find /i "10.0.14393"

        C:\Windows\system32\find.exe  (level 5, PID 2836)
          Command line: find /i "10.0.15063"

        C:\Windows\system32\find.exe  (level 5, PID 2892)
          Command line: find /i "10.0.16299"

        C:\Windows\system32\find.exe  (level 5, PID 1336)
          Command line: find /i "10.0.17134"

        C:\Windows\system32\find.exe  (level 5, PID 2500)
          Command line: find /i "10.0.17763"

MITRE ATT&CK Enterprise v15

Downloads

Filesize: 547KB
MD5: cf6c595d3e5e9667667af096762fd9c4
SHA1: 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256: 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512: ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Filesize: 40B
MD5: 082f2e97e670228e3b323c6a3a874f40
SHA1: e50760edb5e88385449a44818f5726e5beed7aab
SHA256: 292bf366a534157e5414f344218c9df828e2f211617fc84352f3ab2564050941
SHA512: ad96826fb4a9ad5296acf1136bd81348492b4e191ba7936fe515a254f7bb789ab7bb3b939a5b9094b0fdaca9b4ad0f0445034a6eb2d78bd1529c2e638eafbe91

Filesize: 1KB
MD5: 3cb6a90e67d6605abdc3602292e5ef2b
SHA1: bd80bd159e6033d3bb40bf262c1f8412a29c6893
SHA256: 4b1a34abf4dc7a7b98507b1b37eae6a0da5ce951cde221ab426a56988b834f89
SHA512: bd0942de8ec0db64fccaa3dac9773a44f219a6eeaf5a969a55db8aa861e247c9a3ef1404ac59fe6addc198e87afc1721eb4fdd36f1b3df03277ec9bc8f6732bc

Filesize: 252KB
MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1: ec66cda99f44b62470c6930e5afda061579cde35
SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

\Users\Admin\AppData\Local\Temp\3582-490\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
Filesize: 840KB
MD5: d7c6b9469a8ade82b4fcff029e9c30f7
SHA1: 6266b2fa8358e55eb8957475202352f938791d04
SHA256: 49ccd90828bb0908c40cd557212ceb6d1c4acdd867cb986c44148f4faea751b9
SHA512: b8c65ab2414ad06baba7e8271d6c0466abf562e6bdd4f03e31c8794f75e33200bdde12236edd12095c3251e9cc3c31df8007eb3f9cddd74baedf5c9da79bc9e4

Filesize: 154KB
MD5: 3aa93aebd65e6816be4829e57f58e0c2
SHA1: 37ea752eae1ae3e3630776d26d09b446e86cf83a
SHA256: 1e25cf231be401d20c332afc3e399ce4323340612cd8ef4ce344f080aab2c283
SHA512: 7ff18e1b3405860fc8880b6c4cd85e15b9b68587436bbb2d3153154f571dd70a0d3f8ec651686478b2f66e7407ce7ab59cb81f35be9f8c8bcb7ab78e4c9de5f3

Filesize: 821KB
MD5: 6afcf673714e1c0f88e443b07867cad7
SHA1: acf6a8927231ab1e47249a05d45c55b0d0133c38
SHA256: 23801684937fd06d0d00b5321517e3869e7c614e3401099f1d040498c7147f89
SHA512: f40dc22b8c1a503ce0d68a691b28c715df5cf037a937bf4cb8e1942b774d74951da4863b2ca8fad31cf7033a99c9d54fb940a8e267d125f70a16e6b4e75143e5

Filesize: 22KB
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Filesize: 6KB
MD5: c0cce6e6ea0444b77d938671beb6269a
SHA1: 480120d268d9bb763241301e95ee340c38b73e71
SHA256: 9473cb7259c02a227cd61df613dacacbbd54b7ae1f465cd46feeeab7a74d0b41
SHA512: 1bdfea634bbf0ed637ac7d28b315006e05db9fd70ee1ab855448d12ae9b3cfe226b54e064c289b3e3a9e46d182616ce55ddcb0b9ef53ad84f8d41a09cb469754

Filesize: 385KB
MD5: 92c2e247392e0e02261dea67e1bb1a5e
SHA1: db72fed8771364bf8039b2bc83ed01dda2908554
SHA256: 25fdb94e386f8a41f10aba00ed092a91b878339f8e256a7252b11169122b0a68
SHA512: e938d2a1870ccb437d818b5301e6ecffaa6efbf4f0122e1a1ae0981057d7d0376039ea927c6fd326456da2d6904803fca26b87245367a4c5de2aebc47bdcd4b5

\Users\Admin\AppData\Local\Temp\is-SP4AA.tmp\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp
Filesize: 943KB
MD5: 603d510b304d2ebbc55d3cf4d049b6ff
SHA1: bd028110aa4d0179e3e04854c9279b0f5e2d895e
SHA256: 0963beb22fe4b5d52bc5b10adc63c72a379a3bbed138273aeffa502ecc7feeb2
SHA512: 8ea32b11988003ccf67dddfd3cb46edc8b6b8135e6aba2bb0251ff55a25224f94e5bae8c64199f8c5b8046bbb42d77c34f7a4d74058b5afe2a6d9238d4688475